conformance-ipsec-e2e: run leak check before/after key rotation

This is because we saw a racing issue if leak detection covers the whole rotation + conn-disrupt-check: cilium connectivity will remove conn-disrupt pods in the end of connectivity test, leaving some linger packets recognized as leaked traffic. This commit avoids the issue by running leak checks separately for key rotation and after-rotation test. Signed-off-by: Julian Wiedmann <jwi@isovalent.com> Signed-off-by: gray <gray.liang@isovalent.com>
cilium · Jun 10, 2024 · 4e2a66d · 4e2a66d
1 parent 230c200
commit 4e2a66d
Showing 1 changed file with 30 additions and 2 deletions.
diff --git a/.github/workflows/conformance-ipsec-e2e.yaml b/.github/workflows/conformance-ipsec-e2e.yaml
@@ -338,6 +338,15 @@ jobs:
             --junit-property github_job_step="Run tests (${{ join(matrix.*, ', ') }})" \
             --flush-ct
 
+      - name: Assert that no unencrypted packets are leaked
+        uses: ./.github/actions/bpftrace/check
+
+      - name: Start unencrypted packets check for key rotation
+        uses: ./.github/actions/bpftrace/start
+        with:
+          script: ./.github/actions/bpftrace/scripts/check-ipsec-leaks.bt
+          args: ${{ steps.bpftrace-params.outputs.params }} "false"
+
       - name: Setup conn-disrupt-test before rotating (${{ join(matrix.*, ', ') }})
         uses: ./.github/actions/conn-disrupt-test-setup
 
@@ -349,12 +358,31 @@ jobs:
           key-type-two: ${{ matrix.key-type-two }}
           encryption-overlay: ${{ matrix.encryption-overlay }}
 
+      - name: Assert that no unencrypted packets are leaked during key rotation
+        uses: ./.github/actions/bpftrace/check
+
       - name: Check conn-disrupt-test after rotating (${{ join(matrix.*, ', ') }})
         uses: ./.github/actions/conn-disrupt-test-check
+
+      - name: Start unencrypted packets check for tests
+        uses: ./.github/actions/bpftrace/start
         with:
-          full-test: 'true'
+          script: ./.github/actions/bpftrace/scripts/check-ipsec-leaks.bt
+          args: ${{ steps.bpftrace-params.outputs.params }} "true"
 
-      - name: Assert that no unencrypted packets are leaked
+      - name: Run tests (${{ join(matrix.*, ', ') }})
+        shell: bash
+        run: |
+          mkdir -p cilium-junits
+
+          ./cilium-cli connectivity test --include-unsafe-tests --collect-sysdump-on-failure \
+            --sysdump-hubble-flows-count=1000000 --sysdump-hubble-flows-timeout=5m \
+            --sysdump-output-filename "cilium-sysdump-${{ matrix.name }}-<ts>" \
+            --junit-file "cilium-junits/${{ env.job_name }} (${{ join(matrix.*, ', ') }}).xml" \
+            --junit-property github_job_step="Run tests (${{ join(matrix.*, ', ') }})" \
+            --flush-ct
+
+      - name: Assert that no unencrypted packets are leaked during tests
         uses: ./.github/actions/bpftrace/check
 
       - name: Fetch artifacts